Cookies remember website configuration (e.g. language preferences), login details, and products added to the shopping cart, even after a user leaves the site, but because cookie files are widely used to collect certain pieces of information, they can also be used to carry out advertising processes like behavioral profiling and retargeting. Understanding the role of cookies in advertising technology is critical to getting a better hold on online advertising and privacy.
Over the years, cookies have become the bread and butter of the Internet, and are currently the most common method of identifying users online and providing a personalized browsing experience. With growing awareness of privacy issues, and the introduction of laws like the EU’s General Data Protection Regulation (GDPR) and ePrivacy, comes a stronger need to educate users about what cookie files actually do, what information they can contain, and what types of cookies exist.
What Types of Cookies Are There?
There are essentially two types of cookies – first-party and third-party. From a technical perspective, there is no real difference between the two types of cookies; they both contain the same pieces of information and can perform the same functions.
However, the real difference between the types of cookies has to do with how they are created and subsequently used, which often depends on the context. There are different benefits of creating first- vs third-party cookies.
- First-party cookies are stored by the domain (website) you are visiting directly. They allow website owners to collect analytics data, remember language settings, and perform other useful functions that help provide a good user experience.
- Third-party cookies are created by domains other than the one you are visiting directly, hence the name third-party. They are used for cross-site tracking, retargeting and ad-serving.
- Just in case you were wondering, the existence of second-party cookies is a subject of contention. Second-party cookies are cookies that are transferred from one company (the one that created first-party cookies) to another company via some sort of data partnership. For example, an airline could sell its first-party cookies (and other first-party data such as names, email addresses, etc.) to a trusted hotel chain to use for ad targeting, which would mean the cookies become classed as second-party.
How Are First-Party and Third-Party Cookies Different?
Technically speaking, first- and third-party cookies are the same type of files. What’s different is how they are created and used by websites.
What Are First-Party Cookies?
First-party cookies are created by the host domain – the domain the user is visiting. These types of cookies are generally considered good; they help provide a better user experience and keep the session open. This basically means the browser is able to remember key pieces of information, such as which items you add to shopping carts, your username and passwords, and language preferences.
What Are Third-Party Cookies?
Third-party cookies are those created by domains other than the one the user is visiting at the time, and are mainly used for tracking and online-advertising purposes. They also allow website owners to provide certain services, such as live chats.
In addition to a first-party cookie being created by the host site, somenewssite.com, a third-party cookie is also created by ad.doubleclick.net. The reason for a third-party cookie is because the URL (ad.doubleclick.net) doesn’t match the domain (somenewssite.com). The cookie is left by a third-party advertising provider, hence the name third-party cookie.
Refer to the table below for a short breakdown of how first- and third-party cookies differ.
How Are Third-Party Cookies Created on a Website?
Now you might be thinking, how can ad.doubleclick.net or any other third party create a cookie if the user is on a different website at a given moment?
In order for a third-party cookie to be created, a request needs to be sent from the web page to the third party’s server. The file being requested is different depending on the use, but it can be an actual creative (an ad) or a tracking pixel, which is completely invisible to the user but acts as a tracking cookie in situations when there is no click event (for instance, when just a web page is opened) and click redirects cannot be used.
For example, if the third party was an advertising service like DoubleClick by Google, the request would be for a creative – the actual ad the visitor sees. A DoubleClick markup can allow a third-party cookie to be placed. Here’s what the unique ad markup could look like:
<a href="ad.doubleclick.net/some-other-parameters-specific-to-this-ad" target="_blank" rel="noopener"><img src="ad.doubleclick.net/the-extension-to-the-creative"></a>
When the web page loads, the above ad markup would also load and a request would be sent off to ad.doubleclick.net/the-extension-to-the-creative to retrieve the image and assign a cookie to the user at the same time.
Different third parties may request different files from their web servers and send them back to the browser.
Examples of Third-Party Services That Leave Cookies
There are a number of third-party service providers that usually leave cookies in a user’s browser. Here a few of the main ones:
Ad retargeting involves following website visitors who have previously visited your website around the web and showing them ads for the products or services they’ve viewed or interacted with previously. Retargeting works across different channels, including social media, display, and email.
To learn more, read our post about ad retargeting.
Most social-media plugins that enable users to log in, share and like content on third-party websites will place cookies on your device.
In this way, the social-media sites that these cookies come from can track the sites you visit and send you relevant ads when you go back to these social media sites. Even if you are not signed in to your account, these cookies will still follow you by identifying your cookies, using deterministic matching, and sometimes fingerprinting your device to identify you.
You can find out more about device fingerprinting in one of our previous posts.
As far as cookies are concerned, live-chat popups work in a similar way to social buttons. Live-chat services will leave a cookie in your browser to streamline the user experience.
For example, because the live-chat popup can identify you, the next time you visit the chat box, it will remember your name and all the conversation history. Of course, this data is removed as you delete your cookies or when they expire.
It’s important to mention that first-party cookies can also be used for cross-site tracking, but this would mean that the tracking software (script) would have to be hosted under the website’s domain.
How Do Browsers Treat First-Party and Third-Party Cookies?
First-party cookies, as mentioned above, are created directly by the website whenever a user visits the site. Generally speaking, most browsers accept first-party cookies by default, as their primary role is to allow customization and improve user experience.
The cookie that the specific site stores will be used to remember information about the user and their behavior. With first-party cookies, it is up to the website to decide what information to collect and store.
The big limitation of first-party cookies is that they can be read only when the user is visiting the domain of the website/publisher. This makes them useless for advertising purposes (e.g. retargeting) on other websites.
Third-party cookies (also known as tracking cookies or trackers) are created by “parties” other than the website that the user is currently visiting – providers of advertising, retargeting, analytics and tracking services.
Consider this example:
When you visit cnn.com and read a few articles, cnn.com will create a first-party cookie and save it to your computer. Because cnn.com (like most other publishers) uses online ads as a way to monetize its content, the ads you see on cnn.com will also create a cookie (e.g. in ads.somedsp.com domain) and save it to your computer.
As these cookies are not created by cnn.com, they are classified as third-party cookies.
A website can use a number of different third-party trackers (or cookies) that collect user information. This information can include data such as the user’s behavior on the site, location and device type – which is passed on from the website.
Third-party trackers can also track a user’s behavior, such as the content they view on that website and the things they click on (e.g. products and ads). The trackers create third-party cookies and use them to display ads to the user when they visit different websites.
For example, if a user visits bestbuy.com and clicks on a product, third-party trackers will collect and analyze the information about that user and their activity on bestbuy.com. Then, if that user leaves bestbuy.com and accesses a different website, such as techcrunch.com, the user could be shown an ad for that exact same product or something similar (e.g. another TV or another electrical product).
The way it works is that both bestbuy.com and techcrunch.com load a piece of code from an ad server (e.g. ad.doubleclick.net). When the user navigates to either website, the piece of code loaded from ad.doubleclick.net is from a different domain than the URL in the user’s browser, so the cookies set in ad.doubleclick.net are considered third-party cookies.
First-Party Cookies Used in a Third-Party Context
Some first-party cookies can be used to track users in the same way as third-party cookies in specific contexts.
For example, log-in boxes (widgets, plugins) to social sites like Facebook can be placed on different websites to facilitate commenting or “liking” content. This functionality uses first-party cookies in the third-party context; because the user interacts with the login widget (as in, visits its domain), the widget can leave a first-party cookie. Then, such first-party cookie is used a in third-party context, and can enable cross-site tracking.
However, some internet browsers like Safari have methods of blocking this (i.e. Safari 11 and newer).
Apple’s Intelligent Tracking Prevention (ITP) and Cookies
Intelligent tracking prevention is a feature offered with Safari and in iOS 11 by default. It changes the way the Apple browser handles first-party cookies, which is different than most other browsers.
Its newest version, ITP 2.0, detects cross-site tracking and partitions (or isolates) first-party cookies, making it impossible to use them in a third-party context for tracking or analytics purposes. Some experts say that by introducing such strict rules to deal with third-party cookies, Apple sabotages the current economic model of the Internet.
Previous versions of Apple’s ITP (1.0 and 1.1) allowed cookies to be read and used in a “third-party context”, provided the user accessed the domain directly in the first 24 hours. That gave an unfair advantage to Facebook and Google, as the 24-hour purge didn’t have the same effect on them as on other sites because users visit these websites regularly and rarely log out.
With ITP 2.0, this is no longer possible.
Learn all about Intelligent Tracking Prevention (ITP) and find out how it works by reading our blog post.
Mozilla followed suit, and Firefox Version 50 (and later) currently offers a Safari-like “intelligent” functionality blocking unwanted third-party tracking cookies. A grey shield icon appears in the address bar when Firefox blocks tracking domains.
Its Tracking Protection was developed in collaboration with Disconnect and is based on a number of tracker blacklists to allow third-party cookies only from trusted providers.
To see what exactly is being blocked, you can still open the console to review the Security tab.
Safari and Firefox (and basically all other browsers available on the market) also offer more-or-less elaborate methods to block third-party cookies. However, most browsers offer some kind of cookie blocking method – but not all of them are based on blacklists or algorithms.
How to Disable Third-Party Cookies
Third-party cookies are blocked when a user does one or more of the following:
- Browses the web in private or incognito mode.
- Uses Safari as their web browser on Apple mobile devices, as it blocks third-party cookies by default.
- Changes the cookie and tracking settings in their browsers (detailed below).
- Uses Tor.
- Installs ad blockers or similar add-ons (Ghostery, Pivacy Badger etc).
Most browsers allow users to disable third-party cookies from the settings menu. Doing so will make the ads much less personalized, but shouldn’t otherwise compromise the browsing experience. There are numerous guides around the web detailing the steps to disable cookies for each particular browser, but we can give a short overview:
Click the ellipsis (three dots) symbol in the top-right corner and select Settings. Click View Advanced Settings and select Block Third-Party Cookies from the drop-down menu under Cookies.
In Internet Explorer, you have to click the gear icon in the top-right corner and select Internet Options. Then go to Privacy tab and click Advanced. Check the Override Automatic Cookie-Handling box, and set Third-Party Cookies to “Block.”
Click the three-lined icon in the top-right corner and select Settings. Then, click Show Advanced Settings at the bottom. Click on Content Settings in the Privacy section. Under Cookies, check the Block Third-Party Cookies and Site Data option and click Done.
Click the three-lined icon in the top-right corner and select Options (PC) or Preferences (Mac). Go to the Privacy tab and under History, set Firefox Will to Use Custom Settings for History. Then set Accept Third-Party Cookies to “Never.”
Third-party cookies are turned off by default, but it never hurts to double check. Pull down the Safari menu and select the Privacy tab. Choose the option to block cookies from third parties and advertisers.
How to See Which Cookies Are Created When You Visit Websites
There are a number of methods that determine what cookies a website stores in your browser. You can do this by installing a dedicated cookie-management browser plugin or by using the browser’s developer console.
Installing a user-friendly cookie-management plugin is the easiest way to analyze first- and third- party cookies placed by websites, and to block them selectively when needed. The most popular cookie plugins for browsers include:
Browser Development Console
Using the development console in your Internet browser is one of the easiest methods to see all the cookies stored by particular websites. You can also determine which of the cookies stored in your browser are first-party cookies and which are third-party. First-party cookies will share the same domain as the website you are currently visiting.
Here’s how to see the cookies:
For Google Chrome, follow these steps:
- Open your Chrome browser and type the URL of the site you want to analyze.
- To open the console, use the shortcut Ctrl + Shift + I to run the inspect console, or Ctrl + Shift + D to run the developer console.
- Once the console is open, you can view the cookies installed by the site by clicking on the Application tab at the top right of the console.
If you prefer to use Mozilla’s Firefox, you can open the browser’s developer console:
- Open the site you want to analyze.
- Open the Storage Inspector by selecting Storage Inspector from the Web Developer submenu in the Firefox Menu Panel (or the Tools menu if you display the menu bar or are on Mac OS X), or by pressing Shift + F9 keyboard shortcut.
- The Toolbox will appear at the bottom of the browser window with the Storage Inspector activated. It’s just called Storage in the Developer Toolbox.
- Select Cookies on the left to see the cookies created by the website.
The Future of First-Party and Third-Party Cookies
For many years now, third-party cookies have been the cornerstone of online advertising, but their days seem to be numbered.
Today, advertisers and publishers are not only fighting the increasingly popular ad blockers and other methods that block third-party tracking, but they now also have to deal with privacy-centered regulations, such as the GDPR. On top of that comes the growing awareness of privacy issues associated with third-party cookies propelled by the media.
And although there are a few alternatives to third-party cookies, it seems that the only way forward is by making the online-advertising ecosystem more focused on openness, transparency and communicating directly to users, rather than on obscure methods of collecting their data without their knowledge or consent.
Every player in online advertising, from publishers to AdTech vendors, should focus on providing value and great user experiences to users willing share their data.
But given how user data has been collected and shared previously, this shift will not be an easy – neither from a technical perspective nor mindset.